# Webapp Enum Methodology

1. Enumerate the running services and their versions with nmap (-sV)
2. View the page source; look for version strings, developer comments and hyperlinks
3. Add the target hostname to /etc/hosts (WordPress in particular redirects to its configured site URL, so it breaks without this)
4. Remember to try BOTH http and https
5. Inspect element and check response headers
6. Use dirb, gobuster, feroxbuster or ffuf for content discovery, and try more than one wordlist
7. Speaking of wordlists, use custom and service-specific ones, and fuzz extensions that match the stack (e.g. .cgi, .php, .aspx)
8. Look for subdomains and virtual hosts with wfuzz (refer to the "tools" node)
9. Use Wappalyzer and whatweb to fingerprint the technologies in use
10. Check the TLS certificate: the CN and Subject Alternative Names often leak extra hostnames, and the issuer and validity period tell you how the site is run
11. Check robots.txt and any disallowed entries
12. Check for default creds for a specific service running
13. Bruteforce login pages as a last resort, try common combos
14. Check for SQLi and XSS
15. See if path traversal is possible; it can lead to LFI, and LFI can sometimes be escalated to RCE (e.g. log poisoning, or including a file you uploaded)
16. If RCE is hard, use php://filter with the LFI (e.g. php://filter/convert.base64-encode/resource=config.php) to read PHP source without executing it; credentials and further bugs live there
17. Check whether you can steal or manipulate cookies in any way
18. A cookie such as IsAdmin=false is client-side authorization state: change it to IsAdmin=true and resend the request
19. Intercept requests with Burp and look for version strings and software names in headers and bodies
20. Searchsploit should be the last step, enumerate first!
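
Most of the checklist is typed into a terminal, but several steps (page source, response headers, robots.txt, cookies) are just parsing a response you already have. The following is an added example written for this page, not code from the original notes: a standard-library Python triage script that takes one raw HTTP response plus a robots.txt body and pulls out what steps 2, 3, 5, 7, 8, 11, 17 and 18 say to look for, then builds the tampered Cookie header for the IsAdmin flip. The sample response and robots.txt are constructed for the example and the function names are the example's own.

```python
# Offline triage of one HTTP response against the checklist steps named in each docstring.
import re
from email.parser import Parser
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")
ROLE_VALUES = {"true", "false", "0", "1", "admin", "user", "guest"}

class SourceScanner(HTMLParser):
    """Step 2: collect HTML comments, every href/src/action target and the meta generator tag."""
    def __init__(self):
        super().__init__()
        self.comments, self.links, self.generator = [], [], None
    def handle_comment(self, data):
        self.comments.append(data.strip())
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.links += [a[k] for k in ("href", "src", "action") if a.get(k)]
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")

def split_response(raw):
    """Split a raw HTTP response into (status line, headers as an email Message, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_text = head.partition("\n")
    return status_line, Parser().parsestr(header_text, headersonly=True), body

def version_hints(headers, scanner):
    """Steps 2, 5, 19: every place a software version tends to leak."""
    hints = [f"{h}: {v}" for h in VERSION_HEADERS for v in headers.get_all(h, [])]
    if scanner.generator:
        hints.append(f"meta generator: {scanner.generator}")
    hints += [f"comment: {c}" for c in scanner.comments if re.search(r"\b\d+\.\d+", c)]
    return hints

def link_intel(scanner):
    """Steps 3, 7, 8: hosts in absolute links (/etc/hosts, vhost fuzzing) and path extensions (gobuster -x, ffuf -e)."""
    parsed = [urlparse(l) for l in scanner.links]
    exts = [re.search(r"\.([a-z0-9]{1,5})$", p.path, re.I) for p in parsed]
    return sorted({p.hostname for p in parsed if p.hostname}), sorted({m.group(1).lower() for m in exts if m})

def disallowed_paths(robots_txt):
    """Step 11: non-empty Disallow entries from robots.txt, trailing comments stripped."""
    entries = (l.split("#", 1)[0].strip().partition(":") for l in robots_txt.splitlines())
    return [v.strip() for k, _, v in entries if k.strip().lower() == "disallow" and v.strip()]

def parse_cookies(headers):
    """Name -> Morsel for every Set-Cookie header in the response."""
    jar = SimpleCookie()
    for raw in headers.get_all("set-cookie", []):
        jar.load(raw)
    return jar

def cookie_findings(headers):
    """Steps 17, 18: values that look like client-side roles/flags, plus missing Secure/HttpOnly."""
    findings = []
    for name, m in parse_cookies(headers).items():
        if m.value.lower() in ROLE_VALUES:
            findings.append(f"{name}={m.value}: client-side role/flag, try flipping it")
        missing = [flag for flag in ("secure", "httponly") if not m[flag]]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    return findings

def tampered_cookie_header(headers, name, value):
    """Step 18: a Cookie request header that replays every cookie with one value changed."""
    jar = {n: m.value for n, m in parse_cookies(headers).items()}
    jar[name] = value
    return "; ".join(f"{n}={v}" for n, v in jar.items())

def triage(raw_response, robots_txt):
    """Run every check above over one response and a robots.txt body."""
    status, headers, body = split_response(raw_response)
    scanner = SourceScanner()
    scanner.feed(body)
    hosts, exts = link_intel(scanner)
    return {"status": status, "versions": version_hints(headers, scanner), "comments": scanner.comments,
            "hostnames": hosts, "extensions": exts, "robots_disallow": disallowed_paths(robots_txt),
            "cookies": cookie_findings(headers)}

# Constructed sample input for this example; not captured from any real target.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=7d2b0a; Path=/; HttpOnly
Set-Cookie: IsAdmin=false; Path=/

<meta name="generator" content="WordPress 5.3.2">
<!-- build 2.3.1: remove /backup-admin/ before go-live -->
<a href="/wp-login.php">Log in</a> <a href="http://dev.example.internal/">dev</a>
<form action="/cgi-bin/search.cgi" method="post"></form>
"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /backup-admin/  # old panel\nDisallow: /wp-admin/\nDisallow:\nAllow: /\n"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESPONSE, SAMPLE_ROBOTS).items():
        print(f"{key}: {value}")
    print("replay with:", tampered_cookie_header(split_response(SAMPLE_RESPONSE)[1], "IsAdmin", "true"))
```

Feed it the raw response saved from Burp or `curl -i` and the body of /robots.txt; the extension list goes straight into `gobuster -x` / `ffuf -e`, the hostnames into /etc/hosts and the vhost wordlist, and the replayed Cookie header is what you paste into the repeater for step 18.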
